Fiscal Year 2004 Evaluation of Information Security
at the Railroad Retirement Board
Report No. 04-11, September 30, 2004


INTRODUCTION

This report presents the results of the Office of Inspector General's (OIG) evaluation of information security at the Railroad Retirement Board (RRB).

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid out nearly $9 billion in benefits during fiscal year (FY) 2003.

The RRB's information system environment consists of two general support systems and seven major application systems. The two general support systems are the data processing system, which supports all mainframe computing activity, and the end-user computing system, which supports the agency's local and wide area networks.

The major application systems correspond to the RRB's critical operational activities: payment of RRA and RUIA benefits, maintenance of compensation and service records, administration of Medicare entitlement, financial management, personnel/payroll, and the RRB's financial interchange with the Social Security Administration. Each major application system comprises one or more component systems.

This evaluation was conducted pursuant to the E-Government Act of 2002 (P.L. 107-347), Title III, the Federal Information Security Management Act of 2002 (FISMA). FISMA, like its predecessor the Government Information Security Reform Act (GISRA), establishes program management and evaluation requirements including:

   • annual agency program reviews,
   • Inspector General security evaluations,
   • an annual agency report to the Office of Management and Budget (OMB), and
   • an annual OMB report to Congress.

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide integrity, confidentiality and availability. FISMA requires agencies to report significant deficiencies in policy, procedure or practice as material weaknesses in internal control in reports issued pursuant to the Federal Managers' Financial Integrity Act.

The OIG conducted security evaluations pursuant to GISRA during FY 2001 and FY 2002 and FISMA in FY 2003. These evaluations disclosed weaknesses throughout the RRB's information security program. The OIG cited the agency with material weaknesses due to significant deficiencies in access controls in the data processing and end-user computing environments and in the training provided to staff who have significant security responsibilities. Evaluations conducted during FY 2000 and FY 2001 by specialists under contract to the OIG had disclosed the need for improvements in security controls in both the data processing and end-user computing support systems.

Objective, Scope and Methodology

The objective of this evaluation was to fulfill the requirements of FISMA by assessing the effectiveness of the RRB's information system security program and practices during FY 2004.

In order to accomplish our objective, we monitored agency efforts to implement corrective actions in response to the findings and recommendations presented in prior OIG audit reports as well as third-party evaluations conducted at the request of the OIG, including:

   • "Information Systems Security Assessment Report," Defensive Information Operations Group, National Security Agency, June 28, 2000;
   • "Review of RRB's Compliance with the Critical Infrastructure Assurance Program," August 9, 2000, OIG Report #00-13;
   • "Review of Document Imaging Railroad Unemployment Insurance Act Programs," November 17, 2000, OIG Report #01-01;
   • "Site Security Assessment," Blackbird Technologies, Inc., July 20, 2001;
   • "Security Controls Analysis," Blackbird Technologies, Inc., August 17, 2001;
   • "Review of Information Security at the Railroad Retirement Board," February 5, 2002, OIG Report #02-04;
   • "Review of the Railroad Retirement Board's Controls Over the Access, Disclosure, and Use of Social Security Numbers by Third Parties," August 26, 2002, OIG Report #02-11;
   • "Fiscal Year 2002 Evaluation of Information Security at the Railroad Retirement Board," August 27, 2002, OIG Report #02-12;
   • "Evaluation of the Self-Assessment Process for Information System Security," December 27, 2002, OIG Report #03-02;
   • "Evaluation of RRB E-Government Initiative: RUIA Contribution Internet Reporting and Payment," December 27, 2002, OIG Report #03-03;
   • "Review of the Railroad Retirement Board's PIN/Password System for On-Line Authentication," September 8, 2003, OIG Report #03-09;
   • "Review of the Systems Development Life Cycle for End-User Computing," September 8, 2003, OIG Report #03-10; and
   • "Fiscal Year 2003 Evaluation of Information Security at the Railroad Retirement Board," September 15, 2003, OIG Report #03-11.

We also considered the findings and recommendations reported as a result of the following evaluations conducted during FY 2004:

   • "Review of Mainframe Access Controls at the Application Level: Federal Financial System," September 07, 2004, OIG Report #04-07;
   • "Review of Mainframe Access Controls at the Application Level: RRB-Developed Applications Controlled by ACF2 and IDMS," September 07, 2004, OIG Report #04-08; and
   • "Review of Mainframe Access Controls at the Application Level: Program Accounts Receivable System," September 09, 2004, OIG Report #04-09.

Our work was performed in accordance with generally accepted government auditing standards as applicable to the objective. Fieldwork was conducted at RRB headquarters during May through August 2004.


RESULTS OF EVALUATION

Agency management continues the process of strengthening information security. However, significant deficiencies in access controls and program management continue to exist. As a result, information security remains an area of material weakness in internal control.

The OIG's conclusions with respect to information system security are based on previously reported weaknesses in training and local area network access controls for which corrective action has not been completed, and FY 2004 evaluations that disclosed continued weaknesses in the agency's mainframe access controls. Our findings with respect to the implementation status of prior recommendations for corrective action and a summary of weaknesses identified during our FY 2004 evaluations follow.

Status of Prior Recommendations for Corrective Action

During FY 2004, agency management has continued to implement OIG recommendations for improved information security. The OIG monitored 132 recommendations for corrective action. As of March 31, 2004, 84 recommendations had been fully implemented, 11 had been rejected and 37 were pending further agency action.[1] However, the RRB has not completed the corrective action needed to eliminate the previously reported deficiencies in training and access controls that were the basis for the OIG's original finding of material weakness.

In addition, reviews conducted during FY 2004 indicate that completed corrective actions typically address only the specific situation cited by the OIG. Agency managers have not extended the underlying principles to the related elements of the information security program as a whole. In some instances, the OIG's recommendation was construed very narrowly and, as a result, the agency's corrective action had virtually no effect.

For example, the Bureau of Information Services (BIS) previously reported implementation of an OIG recommendation to "include all systems in the review and re-authorization process and mandate the frequency of the process for each mainframe system."[2] OIG evaluations conducted during FY 2004 revealed that although scheduled, some re-authorizations were not performed. Similarly, agency action to "implement security logs as an effective control by ensuring that all critical activities are subject to logging…" did not include all systems.[3]

A summary of the status of audit recommendations pertaining to information system security is presented in Appendix I.

[1] These totals do not include recommendations presented in OIG Reports #04-07, #04-08 and #04-09, which were finalized after March 31, 2004 and for which the status of implementation was not monitored during FY 2004.
[2] OIG Report 02-04, Recommendation #22.
[3] OIG Report 02-04, Recommendation #10.

Evaluations Conducted During FY 2004

During FY 2004, the OIG continued to provide oversight to the RRB's information security program by conducting reviews of mainframe access controls at the application level. We assessed the effectiveness of agency procedures and controls in limiting and detecting access to the major application systems that support financial management, RRA and RUIA benefit payment operations.

In general, audit testing disclosed that the agency's review and re-authorization process is not adequate to ensure that users of these major application systems are limited to only the privileges required for the performance of their current job. We also observed that system features designed to ensure accountability for changes to certain security settings have not been implemented, and that the approval settings that control transaction processing and data entry are not consistently applied.[4]

[4] "Review of Information Security at the Railroad Retirement Board," February 5, 2002, OIG Report #02-04, included recommendations for improvement to the review and re-authorization process and more effective use of system logging features.

In-House Developed Applications

The approximately 45 systems that support RRA and RUIA benefit payment operations were developed in-house by the RRB's Bureau of Information Services. Security for these systems is controlled by commercial software products: CA-ACF2, an access control software package, or IDMS, a database management system.

We performed tests, on a sample basis, of the access privileges of the 1,104 users of these systems. Our tests disclosed that the existing review and re-authorization process is not adequate to ensure that system users retain only those privileges required for their current jobs. We also identified weaknesses in the implementation of segregation of duties that permit some users to perform too many key activities. In addition, one system was initially developed without a "Read-Only" access option for those who do not require higher-level privileges. In this case, access cannot be appropriately restricted.

Federal Financial System

The Federal Financial System (FFS), which includes integrated subsystems for budget execution and procurement management, is a part of the RRB's major application system that supports financial management. FFS security is controlled by the security functions built into the system.

We performed tests, on a sample basis, of the access privileges of 527 users of this system, which disclosed that existing controls are not adequate to ensure that FFS users have been limited to only those system privileges required for the performance of their current jobs. At the time of our fieldwork, the agency had not performed a re-authorization review of FFS access privileges for nearly five years. The last such review had been conducted in 1999; a review scheduled for FY 2003 was not performed. The agency initiated a review after the end of OIG fieldwork in 2004.

We also observed that FFS features designed to ensure accountability for changes to certain security settings had not been implemented, and we questioned the level of assurance provided by current document approval settings.

Program Accounts Receivable System

The Program Accounts Receivable (PAR) system, part of the Financial Management major application system, supports financial accounting for RRA and RUIA program debt. The PAR system is not integrated with FFS and has its own, separate, built-in security functions.

We performed tests, on a sample basis, of the access privileges of 669 users of this system, which disclosed that existing controls are not adequate to ensure that PAR system users have been limited to only those system privileges required for the performance of their current jobs.

Our fieldwork disclosed that the agency had not performed a re-authorization review for the PAR system since FY 1998; the review scheduled for FY 2003 was not performed. Although a re-authorization review was performed during FY 2004, the information provided to supervisors did not include sufficient detail about the specific privileges granted to individual employees to provide a basis for an effective re-authorization decision.

We also observed that PAR system features designed to ensure accountability for changes to certain security settings had not been implemented and that the approval settings that control transaction processing and data entry were not consistent across programs.

CA-ACF2 Controls Could Be Strengthened

The RRB has not implemented adequate controls to ensure that CA-ACF2 security settings implement management's policies.

The RRB has established policies and procedures that govern the key features of system security, including password management, implementation of upgrades, and the restriction of special privileges. We observed weaknesses in the management of passwords and inactive accounts as well as in the implementation of global system options and special privileges that, when taken together, undermine the effectiveness of the RRB's information security program.

Initial access to the RRB's mainframe computer is controlled by CA-ACF2. CA-ACF2 security features include both global system options, which apply to all system users, and special, high-level privileges for some users. System accounts may be granted to individual users or set up as a "generic" account to facilitate use by groups of individuals or system-to-system communication.

Password and Account Management

The RRB has not established a policy requiring individual or generic inactive accounts to be removed from the system. In addition, many generic accounts are established with a password that never expires. The lack of adequate policy and related controls and procedures to govern account management has resulted in a large number of system users, both individual and generic, that have inactive accounts and/or passwords that never expire.
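The account-management review described in this section can be expressed as a repeatable check. The following Python script is an added example and is not part of the OIG report or any RRB or CA-ACF2 tool. It assumes a constructed account-inventory export with the fields shown (logon id, individual or generic, whether the account is used exclusively for system-to-system access, last-use date, and whether the password expires) and an assumed 365-day inactivity cut-off. It flags accounts unused for over one year or lacking a password expiration, exempts exclusively system-to-system generic accounts from the expiration requirement (the exemption the report's Recommendation 3 allows), and produces the per-population summary the report quotes (of N generic accounts, how many never expire and how many are inactive).

```python
"""Account-hygiene review over a constructed CA-ACF2-style account inventory.

Added example, not an RRB or OIG tool. The inventory fields, the sample data
and the 365-day inactivity threshold are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_THRESHOLD = timedelta(days=365)   # "not used in over one year" (assumed cut-off)


@dataclass(frozen=True)
class Account:
    logon_id: str
    kind: str                    # "individual" or "generic"
    system_to_system: bool       # generic account used only for system-to-system access
    last_used: Optional[date]    # None means the account has never been used
    password_expires: bool       # False means the password never expires


def flags_for(acct: Account, as_of: date) -> set:
    """Return the set of policy findings that apply to one account."""
    findings = set()
    # Inactive: never used, or last used more than the threshold before the review date.
    if acct.last_used is None or (as_of - acct.last_used) > INACTIVITY_THRESHOLD:
        findings.add("inactive")
    # Non-expiring password is a finding for individual accounts and for generic
    # accounts that are not exclusively system-to-system (those are exempt).
    if not acct.password_expires and not (acct.kind == "generic" and acct.system_to_system):
        findings.add("password-never-expires")
    return findings


def review(accounts, as_of: date) -> dict:
    """Produce per-population counts plus the sorted list of accounts needing action."""
    summary = {
        "individual": {"total": 0, "inactive": 0, "password-never-expires": 0},
        "generic": {"total": 0, "inactive": 0, "password-never-expires": 0},
    }
    actions = []
    for acct in accounts:
        population = summary[acct.kind]
        population["total"] += 1
        findings = flags_for(acct, as_of)
        for name in findings:
            population[name] += 1
        if findings:
            actions.append((acct.logon_id, sorted(findings)))
    return {"summary": summary, "actions": sorted(actions)}


# Constructed sample inventory (not real RRB data); the review date is assumed.
AS_OF = date(2004, 8, 31)
SAMPLE_INVENTORY = [
    Account("USER01", "individual", False, date(2004, 8, 2), True),    # clean
    Account("USER02", "individual", False, date(2003, 1, 15), True),   # inactive
    Account("USER03", "individual", False, None, False),               # never used, never expires
    Account("BATCH01", "generic", True, date(2004, 8, 30), False),     # system-to-system: exempt
    Account("HELPDESK", "generic", False, date(2004, 7, 1), False),    # shared account, never expires
    Account("OLDGRP", "generic", False, date(2002, 6, 30), False),     # inactive and never expires
]

if __name__ == "__main__":
    result = review(SAMPLE_INVENTORY, AS_OF)
    for kind, counts in result["summary"].items():
        print(f"{kind}: of {counts['total']} accounts, "
              f"{counts['password-never-expires']} never expire, "
              f"{counts['inactive']} inactive")
    for logon_id, findings in result["actions"]:
        print(f"  {logon_id}: {', '.join(findings)}")
```

Run as-is, the script prints the summary for each population and the action list; on a real inventory the action list is the input to the periodic review-and-deletion step, and the summary counts give the trend figure to compare from one review to the next.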
Our review disclosed that of 485 generic accounts, 188 do not carry a password expiration requirement and 143 have not been used in over one year.

Global System Options

BIS did not implement recent enhancements to the global system options that would bring system operation more closely into compliance with agency password management policy until those settings were identified by the OIG. In August 2003, the RRB upgraded its version of the CA-ACF2 software. The upgraded software provided for a closer fit between the agency's password policy and the security configurations within CA-ACF2. However, BIS had not implemented the new features.

Our review of global system settings also disclosed that the RRB has not implemented all settings required for compliance with the information security requirements of the Internal Revenue Service. The Internal Revenue Service mandates certain security configurations when Federal tax information is maintained in a system.

Special Privileges

BIS has not implemented policies and procedures to ensure that adequate documentation is maintained to support decisions to grant or modify the special privileges within CA-ACF2.

Individuals who hold various special privileges are able to perform high-risk activities within the system. During our review, we questioned the adequacy of documentation to support special privileges granted, including five individuals whose special privileges were not required for their current jobs. In addition, the system creates logs that track changes made by system administrators, including changes to special privileges; the logs are not subject to routine, periodic review.

Recommendations

We recommend that BIS:

   1. establish a policy defining "inactive" status with respect to individual accounts and requiring the periodic review and deletion of such accounts;
   2. establish a policy defining "inactive" status with respect to generic accounts and requiring the periodic review and deletion of such accounts;
   3. establish a password expiration requirement for generic accounts other than those that are exclusively system-to-system access;
   4. review global system settings and make changes as necessary to ensure compliance with Internal Revenue Service requirements;
   5. implement an annual review of all special privileges;
   6. maintain documentation to support changes to special privileges; and
   7. require periodic review of the logs that record changes made by system administrators.

Management's Response

Management concurs with the OIG's findings and plans to implement either the recommended corrective action or an appropriate alternative.

The full text of the Chief Information Officer's response is included as Appendix II to this report.

Self-Assessment Not Performed

Security self-assessments were not performed during FY 2004 for the nine RRB systems which contain sensitive information.

FISMA requires annual evaluations of Federal information security programs. OMB has issued guidance regarding the extent of the annual reviews, which is dependent upon an evaluation of risk and the comprehensiveness of last year's review. At a minimum, the NIST self-assessment tool (or an equivalent) should be used.

The OIG evaluated the RRB's FY 2002 self-assessment process and reported that the process was not effective in assessing the current status of the RRB's security program as a basis for future improvement.[5] At that time, the OIG recommended that BIS take action to ensure that the agency's self-assessment process is complete, credible and comprehensive with respect to NIST objectives, elements, and techniques, and provides a consistent basis for assessing changes in the agency's security status from year to year.

Although the RRB implemented the NIST self-assessment methodology during FY 2003, the previously recommended corrective actions have not yet been completed and gaps in the collection of data will impede the overall effectiveness of the improvement process. No further recommendations are being offered at this time.

[5] "Evaluation of the Self-Assessment Process for Information System Security," December 27, 2002, OIG Report #03-02.

Computer Security Plans

The computer security plan for payment of RUIA benefits, a major application system, does not comply with OMB and NIST requirements. OMB and NIST have established basic requirements for preparation and maintenance of system security plans, including a description of the system environment and the controls in place.

When the Office of Programs evaluated the computer security plan for payment of RUIA benefits in March 2004, they determined that no changes were required from the previous version, which had been prepared in May 2002. That determination did not include consideration of a web-based, public access component system that went into production later in March 2004.

Recommendation

We recommend that:

   8. the Office of Programs update the computer security plan for the major application, payment of RUIA benefits, as necessary, to ensure completeness.

Management's Response

Management agrees with the recommendation and will be incorporating references to the new RUIAnet system as appropriate.

The full text of the Office of Programs' response is included as Appendix III to this report.

Acceptance of Systems Development Projects

Formal acceptance of systems development projects does not require the signature of a senior agency official with budget authority.

OMB Circular A-130, Appendix III requires pre-implementation security authorization of new systems by a management official with responsibility for the organization supported by the system. NIST also requires authorization of information systems to be given by a senior management official. Management's authorization should be specific as to acceptance of security-related risk.

Within the RRB, user organizations accept and authorize new systems and system modifications using RRB FORM G-872, "Sign Off Sheet," which is typically executed by user analysts and managers below the level of "Senior Agency Official."

In FY 2003, the OIG recommended that the RRB implement a formal certification and accreditation process that would place the acceptance of system security risk with a higher level of management.[6] The agency rejected that recommendation because NIST guidance requiring such a process had not yet been finalized.

[6] "Review of the Systems Development Life Cycle for End-User Computing," September 8, 2003, OIG Report #03-10.

Recommendation

We recommend that:

   9. BIS implement a NIST-compliant certification and accreditation program.

Management's Response

Management concurs with the recommendation and will modify and/or develop system acceptance and authorization procedures for new systems and major system modifications in accordance with OMB Circular A-130, Appendix III and NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems."

The full text of the Chief Information Officer's response is included as Appendix II to this report.


Appendix I

SUMMARY OF AUDIT RECOMMENDATIONS PERTAINING TO INFORMATION SECURITY
As of March 31, 2004

The Offered, Rejected and Implemented columns count recommendations for corrective action.

Source                    Report                                                                                              Report Date  Offered  Rejected  Implemented
------------------------  --------------------------------------------------------------------------------------------------  -----------  -------  --------  -----------
National Security Agency  Information Systems Security Assessment Report                                                      06/28/00          19         5           11
OIG Report #00-13         Review of RRB's Compliance with the Critical Infrastructure Assurance Program                       08/09/00           2         -            2
OIG Report #01-01         Review of Document Imaging Railroad Unemployment Insurance Act Programs                             11/17/00           3         -            2
Blackbird Technologies    Site Security Assessment                                                                            07/20/01          12         2            9
Blackbird Technologies    Security Controls Analysis                                                                          08/17/01          38         3           32
OIG Report #02-04         Review of Information Security at the Railroad Retirement Board                                     02/05/02          28         -           15
OIG Report #02-11         Review of the RRB's Controls Over the Access, Disclosure, and Use of Social Security Numbers by     08/26/02           1         -            1
                          Third Parties
OIG Report #02-12         Fiscal Year 2002 Evaluation of Information Security at the Railroad Retirement Board                08/27/02           3         -            2
OIG Report #03-02         Evaluation of the Self-Assessment Process for Information System Security                           12/27/02           4         -            -
OIG Report #03-03         Evaluation of the RRB E-Government Initiative: RUIA Contribution Internet Reporting and Payment     12/27/02           9         -            8
OIG Report #03-09         Review of the Railroad Retirement Board's PIN/Password System for On-Line Authentication            09/08/03           3         -            -
OIG Report #03-10         Review of the Systems Development Life Cycle for End-User Computing                                 09/08/03           7         -            -
OIG Report #03-11         Fiscal Year 2003 Evaluation of Information Security at the Railroad Retirement Board                09/15/03           3         1            2
------------------------  --------------------------------------------------------------------------------------------------  -----------  -------  --------  -----------
Totals                                                                                                                                        132        11           84